Corporate compliance and audit professionals might want to clear your schedules. The former head of security for Twitter has published a stunning whistleblower complaint against the company, alleging all manner of security failures at the social media giant — and that management then lied to the board and regulators about the severity of the problems.
The whistleblower in question is Peiter Zatko, a legend in cybersecurity circles who goes by the nickname “Mudge.” He served as head of security for Twitter from November 2020 until he was fired in January of this year. Mudge filed a whistleblower complaint to Congress, the Securities and Exchange Commission, and other federal agencies in July, and the Washington Post and CNN broke the story of his allegations on Tuesday.
Compliance and audit executives have much to ponder here. Mudge raises grave allegations of corporate misconduct, and makes some excellent points about flawed approaches to data protection and cybersecurity along the way. Clearly his complaint will play a role in the lawsuit between Twitter and Elon Musk over his on-again, off-again attempt to buy the company; but even aside from that spectacle, there are plenty of cautionary tales in Mudge’s complaint that deserve our attention.
- Twitter could never map out and identify sensitive data, including personally identifiable information, which meant that the company couldn’t comply with consent decrees about using security-related PII for advertising purposes.
- The executive team intercepted a security audit Mudge had commissioned, directing the auditors to send their report to an outside law firm. The law firm then scrubbed embarrassing information about security weaknesses the auditors had found and provided a “clean” report to present to Mudge.
- Twitter CEO Parag Agrawal deliberately kept other embarrassing information from the board about the management team’s inability to improve Twitter’s security and process integrity flaws.
- The company had no effective policies and procedures to manage insider threats from employees, including no Bring Your Own Device policies and no ability to prevent employees from disabling security software on their work stations.
We can explore all those specific allegations (and many more) in a series of posts over time. For now, we can start with the top — poor oversight from Twitter’s board and a dysfunctional control environment from senior management.
It All Starts With Priorities
First, let’s remember why people should care about Mudge’s allegations at all: because Twitter is a tremendously influential company. At the start of his complaint, Mudge rightly points out that with poor governance and practices, Twitter could be infiltrated by outsiders to provoke disaster — literal disaster, such as market collapses or armed conflict. It’s not far-fetched to imagine a world where, thanks to weak cybersecurity, attackers use Twitter to dupe world leaders and the public into taking actions that get people killed.
I don’t have good answers for how to solve the threat of disinformation; I’m not sure anybody does. But the point remains that if your company has such influence and power, then the board and senior management must take that responsibility as seriously as they can. They need to ask themselves: “What is the most important thing for us to get right?”
Increasingly for technology companies, and absolutely for social media companies, the most important thing they need to get right is security and process integrity.
Mudge has raised allegations that Twitter isn’t doing that. So I keep wondering — where was the board? Indeed, who was the board? Did they even have the right experience and understanding to exercise the necessary oversight for a company like Twitter?
Anyone can read the biographies of Twitter’s board of directors. I did, and it seems to me that the board isn’t properly constituted for an organization where security and process integrity are the paramount concerns. The board (nine people) is filled with big thinkers on artificial intelligence, business development in the tech sector, and financial acumen.
What I don’t see in any of those biographies is anything about security or privacy. Indeed, I couldn’t help but think that Mudge was misplaced at Twitter. Rather than run security for the company, he should have been on the board himself. His insistence on raising difficult questions with executives would have been fantastic for board service.
Ironically, those same qualities led to disastrous relations between Mudge the in-house executive and the rest of the management team. He was hired by former CEO Jack Dorsey in 2020. Then, according to Mudge, Dorsey became an increasingly disengaged leader throughout 2021, until Dorsey stepped down as CEO in November of that year. Dorsey was succeeded by current CEO Agrawal, a long-time Twitter executive who had been chief technology officer since 2017 — and who would be responsible for a lot of the issues that Mudge has raised.
All the allegations included in Mudge’s complaint — sloppy access controls, no effective policies or procedures for system integrity, important information withheld from the board, spies for foreign intelligence services knowingly allowed to work at the company, and much more — flow from the poor governance and ineffective leadership at the top. Those executives and their skills were misaligned with the most important thing that Twitter needed to get right: cybersecurity and system integrity.
What Happens Next
As I mentioned, in coming weeks we can dissect the specific compliance and privacy failures Mudge alleges, to distill lessons that compliance and audit professionals can put to use in their own organizations. For now, however, several Big Questions remain at the fore.
What investigations will arise because of the Mudge report? Mudge and his whistleblowing team (the same group that represents Frances Haugen, the Facebook whistleblower) sent the report to the Securities and Exchange Commission, the Federal Trade Commission, and the Justice Department. The allegations are explosive enough that all three could, and should, launch formal probes. In particular, if Mudge’s allegations are true, then CEO Agrawal might even face criminal exposure.
How will this affect Elon Musk’s abortive takeover offer and the ensuing litigation? One of Mudge’s primary allegations is that Twitter was misleading everyone about the number of bots and spam accounts on its platform. Well, that’s what Musk argued when he announced that he was bailing out of his $44 billion takeover offer. So will Mudge’s complaint help him wriggle out of the lawsuit Twitter filed to compel Musk to complete the transaction?
For the record, Mudge’s lawyers say Mudge has not been in contact with Musk, and that Mudge began compiling his whistleblower complaint before Musk announced his takeover bid this spring. Frankly, given Musk’s long history of stretching the truth, I’m not sure what to believe here.
How will the board respond? At the least, the board should commission an independent review to determine how many of Mudge’s allegations about poor security are true. Mudge also raises allegations against Agrawal that, if true, should result in Agrawal getting fired. (The complaint has considerable redactions, too; so it may well be that other executives should follow Agrawal out the door.)
I’d also be curious whether the board will try to bring on new directors with more extensive cybersecurity expertise. Or if the board doesn’t take such action, will shareholders demand it? (The biggest shareholders are Vanguard, Morgan Stanley, and Musk himself.)
Quite simply, Twitter has a gigantic mess on its hands. Obviously the board and senior management need to figure out how to clean it up. They’d do well to ponder how this came to pass, too.